Web applications suffered nearly 38,000 cyber attacks per hour at their peak in the period between June and November last year.
By comparison, in the period from November 2010 to May 2011, applications experienced about 25,000 attacks per hour.
According to a new report from security firm Imperva, hackers are commonly relying on business logic attacks because they are hard to detect and therefore often successful.
In a business logic attack, a hacker abuses the legitimate business logic of an interactive website or application. This could range from simply guessing or 'brute forcing' the password, to using a 'contact us' feature to drown the server in spam.
The attack can also be used to gather sensitive information.
"Business logic attacks are attractive for hackers since they follow a legitimate flow of interaction of a user with the application," said Amichai Shulman, Imperva's CTO.
"This interaction is guided by an understanding of how specific sequences of operations affect the application's functionality. Therefore, the abuser can lead the application to reveal private information for harvesting, skew information shared with other users and much more – often bypassing security controls."
Imperva found that hackers exploit five common application vulnerabilities: Remote File Inclusion (RFI), SQL Injection (SQLi), Local File Inclusion (LFI), Cross Site Scripting (XSS) and Directory Traversal (DT).
Automated tools are increasingly being used to perpetrate these attacks, as they enable an attacker to target more applications and exploit more vulnerabilities than any manual method possibly could.
Many of these attacks can be prevented with proper website design and security scanning software that analyses requests made through web-facing applications and services.
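Because each request in a business logic attack looks legitimate on its own, request analysis has to look at behaviour over time. The following added example (not from the Imperva report) counts requests per client in a sliding window for the two abuses named above, password guessing and 'contact us' flooding; the endpoint paths, thresholds and log tuples are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed per-endpoint limits: (max requests, window in seconds). Illustrative values.
LIMITS = {
    ("POST", "/login"): (5, 60),      # failed logins per client per minute
    ("POST", "/contact"): (3, 300),   # contact-form posts per client per 5 minutes
}

def find_abuse(events, limits=LIMITS):
    """Return sorted (client, method, path) triples that exceed a limit.

    events: iterable of (timestamp_seconds, client, method, path, status),
    ordered by timestamp. For /login only failed attempts (401) count,
    so a user who mistypes once and then logs in is never flagged.
    """
    windows = defaultdict(deque)   # (client, method, path) -> recent timestamps
    flagged = set()
    for ts, client, method, path, status in events:
        limit = limits.get((method, path))
        if limit is None:
            continue               # endpoint is not monitored
        if path == "/login" and status != 401:
            continue               # successful logins do not count
        max_hits, span = limit
        key = (client, method, path)
        q = windows[key]
        q.append(ts)
        while ts - q[0] >= span:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_hits:
            flagged.add(key)
    return sorted(flagged)

# Constructed sample traffic (documentation IP ranges, not real data).
SAMPLE = (
    # eight failed logins in 16 seconds from one client
    [(t, "198.51.100.7", "POST", "/login", 401) for t in range(0, 16, 2)]
    # an ordinary user: one mistyped password, then success
    + [(20, "203.0.113.9", "POST", "/login", 401),
       (25, "203.0.113.9", "POST", "/login", 200)]
    # five contact-form posts in 50 seconds from one client
    + [(30 + 10 * i, "192.0.2.44", "POST", "/contact", 200) for i in range(5)]
    # the ordinary user sends a single contact message
    + [(90, "203.0.113.9", "POST", "/contact", 200)]
)

if __name__ == "__main__":
    for client, method, path in find_abuse(SAMPLE):
        print(f"{client} exceeded the limit on {method} {path}")
```

Counting per client address alone misses attempts spread across many sources, so a second counter keyed on the targeted account or form is a common complement.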